SYSVOL is an attractive target for attackers who want to gain a foothold in, and eventually control of, an Active Directory domain. A compromised domain is catastrophic for any organization. We commonly see early-stage attacks begin with SYSVOL enumeration, because every authenticated domain user can read it. Fortunately, there are ways to detect that enumeration and stop an attack in progress.
What is SYSVOL?
System Volume (SYSVOL) is a folder on the local disk of every domain controller that is shared on the network and replicated between the domain controllers of a domain. It holds components that Active Directory needs in order to function, including Group Policy Objects (GPOs) and logon scripts, along with other files that let domain controllers distribute system policies to client computers. Because domain members must read these files to apply policy, SYSVOL is readable by all authenticated users by default.
By default, SYSVOL is located at C:\Windows\SYSVOL and is exposed on the network as the SYSVOL share (\\<domain>\SYSVOL), but a different local path can be chosen when a domain controller is promoted.
Exploiting SYSVOL
SYSVOL stores the GPOs themselves. Administrators use GPOs to define and enforce security settings for user and computer configurations across an Active Directory environment. These settings include the password policy: minimum length, complexity, expiration interval and account lockout threshold. That is valuable information for an attacker; knowing the lockout threshold, for example, lets them size a password-spraying or brute-force campaign so that it never locks an account and draws attention.
SYSVOL also contains scripts that run when a user logs on, such as logon scripts that map network drives or install software. An attacker who obtains write access to these scripts can modify them to execute malicious code on every host that runs them, or plant a backdoor that gives them persistence in the network.
Attackers also search SYSVOL for Group Policy Preferences XML files (for example Groups.xml, DataSources.xml or ScheduledTasks.xml) and for GPO backup files. Preferences files created before Microsoft's MS14-025 update can contain a cpassword attribute holding an account password encrypted with a publicly documented key, and all of these files reveal how the domain's security settings are configured, which helps an attacker reverse engineer the policies and find weak points to exploit.
You can find out more about attacks involving SYSVOL at adsecurity.org (https://adsecurity.org/?p=2362) and in MITRE ATT&CK technique T1552.006, Unsecured Credentials: Group Policy Preferences (https://attack.mitre.org/techniques/T1552/006/).
How To Detect SYSVOL Exploits With a Honeyfile
To detect this directory scanning we must first create two honeyfiles in the SYSVOL directory: decoy Group Policy Preferences files that no legitimate user or process has any reason to open, so that any read of them is a signal. You can learn more about active deception in this article.
- Run the PowerShell script found in our github. It creates the files datasources.xml and registry.xml in the “C:\Windows\SYSVOL\domain\Policies” directory, named to look like Group Policy Preferences files that could hold saved credentials.
- For your Domain Controllers, enable “Success” and “Failure” in the following Group Policy setting, so that every access to a file on a network share is audited:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Detailed File Share
- With that audit policy in place, any access to the honeyfiles over the SYSVOL share generates Windows Event ID 5145 (“A network share object was checked to see whether client can be granted desired access”), which records the account, the client IP address, the share name and the path of the file that was touched relative to the share.
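The steps above, carried out end to end as an added example (this is not Blumira's GitHub script and is not code from the original article): plant the two decoy files in the default SYSVOL location, enable Detailed File Share auditing, and then query the Security log for Event ID 5145 hits on the decoys while excluding an allow-list of hosts that legitimately read SYSVOL. Everything below the comment header is an assumption you should adjust: the lure XML is fabricated and simplified (not the full Group Policy Preferences schema), the cpassword value is random filler rather than an encrypted password, and 10.0.0.50 stands in for a backup server. Run it in an elevated PowerShell session on a domain controller.

```powershell
# Added example, not Blumira's script. Plants two GPP-style decoy files in SYSVOL,
# enables Detailed File Share auditing, and reports Event ID 5145 reads of the
# decoys from hosts outside an allow-list. Run elevated on a domain controller.
# Assumptions: default SYSVOL path, honeyfile names from the article, fabricated
# lure content, and 10.0.0.50 as a placeholder for a backup server.

$PolicyRoot = 'C:\Windows\SYSVOL\domain\Policies'   # default SYSVOL path
$HoneyNames = @('datasources.xml', 'registry.xml')

# Lure that resembles a Group Policy Preferences file carrying a saved credential.
# Simplified XML; the cpassword is random filler, not an encrypted password.
$LureXml = @'
<?xml version="1.0" encoding="utf-8"?>
<DataSources>
  <DataSource name="SQLReporting" changed="2021-03-09 11:02:17">
    <Properties action="U" dsn="SQLReporting" driver="SQL Server"
                username="CORP\svc_reporting"
                cpassword="Xk2pQ7mD4vLwR9sT1aZcBnHfE6yJ0uKgOi8lV5rWqN3bM"/>
  </DataSource>
</DataSources>
'@

function New-SysvolHoneyfile {
    param([string]$Root, [string[]]$Names, [string]$Content)
    foreach ($name in $Names) {
        $path = Join-Path $Root $name
        if (-not (Test-Path $path)) {
            Set-Content -Path $path -Value $Content -Encoding UTF8
            # Backdate the decoy so it does not stand out as the newest file in SYSVOL
            (Get-Item $path).LastWriteTime = (Get-Date).AddDays(-400)
        }
    }
}

function Get-HoneyfileAccess {
    param(
        [string[]]$Names,
        [string[]]$AllowList = @(),   # IPs of backup/AV hosts that legitimately scan SYSVOL
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $rel = [string]$data['RelativeTargetName']
        if (-not $rel) { return }            # skip share-level checks with no target path
        $leaf = Split-Path -Leaf $rel

        # Only the SYSVOL share, only the decoy file names, only non-allow-listed clients
        if ($data['ShareName'] -like '*\SYSVOL' -and
            $Names -contains $leaf -and
            $AllowList -notcontains $data['IpAddress']) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ClientIP = $data['IpAddress']
                Target   = $rel
                Access   = $data['AccessMask']
            }
        }
    }
}

# 1. Plant the decoys; DFS-R replicates them to every domain controller.
New-SysvolHoneyfile -Root $PolicyRoot -Names $HoneyNames -Content $LureXml

# 2. Turn on the audit subcategory locally for a quick test. The GPO setting in
#    the article is the durable configuration and overwrites this on refresh.
auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null

# 3. From a domain-joined workstation (not the DC itself), simulate the scan an
#    attacker would run, e.g. for domain corp.local:
#    Select-String -Path '\\corp.local\SYSVOL\corp.local\Policies\*.xml' -Pattern cpassword
#    then re-run the query below on the DC.
Get-HoneyfileAccess -Names $HoneyNames -AllowList @('10.0.0.50') | Format-Table -AutoSize
```

Two practical caveats. Detailed File Share auditing logs a 5145 for every file touched on every share on the domain controller, which on a busy DC is a large volume; forward the events to your SIEM but alert only where RelativeTargetName ends in a decoy name, as the query above does. And because the decoys replicate to all domain controllers, the audit policy must be enabled on all of them (the GPO path in the article does that), otherwise an attacker who enumerates SYSVOL on a DC without auditing leaves no trace.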
How Can Blumira Help?
Blumira has a detection called “SYSVOL Enumeration of Saved Credentials” that looks for this activity in your environment. It is built into its cloud-based XDR + SIEM platform and enabled automatically.
This detection is considered a Priority 1 Suspect for two reasons:
- The canary files are only present if someone deliberately placed them there to enable the detection, so no legitimate user or process has any reason to open them.
- The only expected false positive is a backup agent, antivirus scanner or similar software reading the files remotely. Those sources can be excluded with detection filters.
Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. And our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
While monitoring SYSVOL activity is crucial for detecting potential attacks, it's just one piece of your organization's security puzzle. Understanding your complete external attack surface is equally important in preventing unauthorized access to your domain.
Want to identify potential security vulnerabilities before attackers do? Sign up for Blumira's free Domain Security Assessment. It automatically scans your publicly accessible assets - including domain controllers and network shares - and provides actionable security insights in minutes.
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...